1. Field of the Invention
The present invention relates to a security device for a transponder having a security function, particularly with a kill and/or cloak function. The invention further relates to a method for configuring a security means, to a method for operating a transponder, and to a transponder.
2. Description of the Background Art
The invention falls within the realm of transponder technology and in particular within the field of contactless communication for the purpose of identification. Although it can be used in principle in any communication system, the present invention and its underlying problems are explained with reference to so-called RFID communication systems and their application. Here, RFID stands for “radio frequency identification.” For a general background of this RFID technology, reference is made to the “RFID-Handbuch” [RFID Handbook] by Klaus Finkenzeller, Hanser Verlag, 3rd updated edition, 2002, which has been published in English by John Wiley & Sons.
In passive and semipassive transponders, an electromagnetic signal transmitted by the base station is received and demodulated by the transponder. Passive transponders do not have their own energy supply, so that the energy required in the transponder for the demodulation, decoding, and processing of the received electromagnetic signal must be derived from this electromagnetic signal itself. In addition to the transfer of energy, a bidirectional data communication also occurs between the base station and transponder (via the so-called carrier signal).
Bidirectional data communication between the base station and transponder typically has an interrogation sequence and a response sequence. The basis for the bidirectional data transmission between the base station and transponder is a so-called communication protocol, which specifies the control information for the data communication in addition to the data information to be transmitted. An RFID communication protocol for data communication between a base station and transponder is described in the Unexamined German Patent Application DE 101 38 217 A1, which corresponds to U.S. Publication No. 20030133435.
A generic RFID method and system for bidirectional data communication is also the subject of the so-called Palomar Project, which was established by the European Commission as part of the so-called IST program. With respect to the content of this Palomar Project, reference is made to the relevant, generally available publication of Jan. 11, 2002, which was submitted as a working draft ISO 18000-6 to ISO/IEC JTC1/SC31.
For further background on bidirectional data communication between a base station and transponder, reference is made further to the Unexamined German Patent Applications DE 102 04 317 A1 and DE 100 50 878 A1 (which corresponds to U.S. Publication No. 2002044595), as well as DE 102 04 346 A1, and the European patent EP 473 569 B1 (which corresponds to U.S. Pat. No. 5,345,231).
During such data communication between a base station and transponder, a larger or smaller amount of data, depending on the application, is exchanged between the base station and the transponder and is evaluated.
There is a need in many transponder applications to deactivate the transponder permanently or merely temporarily. In the following text, permanent deactivation will also be called the “kill function” and temporary deactivation, the “cloak function.”
There can be many different reasons for these requirements for a transponder; there is therefore a need for a kill mechanism and/or a cloak mechanism. After temporary or permanent deactivation, the transponder is no longer capable of being addressed via an electromagnetic field transmitted by a base station or of sending modulated response signals back to the base station. It is also incapable of performing other actions such as, for example, a storage process or a programming process.
One area of application for transponders equipped with such a so-called kill functionality is, for example, one-way transponders such as those used in department stores for labeling unsold products and items. After these products are sold, the transponders contained therein should be removed as easily as possible, deactivated, destroyed, or made nonfunctional in some other manner. Another area of application is, for example, disposable packaging.
For reusable products such as, for example, reusable packaging, files, etc., this functionality would in fact also be conceivable, but it is not as desirable as in the aforementioned disposable transponders. The cloak function is therefore used in these last-named areas of application, for example in reusable packaging. This enables the user to identify the specific products contained in the reusable packaging, as needed, via an activated transponder. After this identification, or alternatively after the removal of the respective products from the reusable packaging, the transponder contained in the reusable packaging can be temporarily deactivated so that it does not undesirably take up data communication with a base station in its vicinity.
This cloak functionality is also particularly suitable for fields of application in which the transponder is assigned to security-relevant products and thus also contains security-relevant information. In this case, the transponder can be deactivated temporarily, for example, when the specific security-relevant products are not to be read during this time period, because they are being transported, for example.
However, an implementation of a kill function and/or cloak function in modern RFID systems must meet special requirements:
The most important criterion is the security of these functions; i.e., when a kill/cloak function is activated, it may not be circumvented;
It is also essential that an implementation of the kill/cloak function is as cost-effective as possible so that it does not unduly increase the cost of the transponder;
The function should be activatable as easily as possible, advantageously electronically with use of the transponder's protocol mechanism;
Finally, it should be possible to check a successful activation of the kill/cloak mechanism and a successful deactivation of the kill/cloak mechanism.
There are several possibilities for implementing a security device in modern transponders, which have a kill function and/or cloak function; some of these generally known security devices will be described briefly below.
The simplest, but not necessarily the best, option for implementing the indicated functionalities is to remove the specific transponders from the corresponding packaging of the product (deactivation) and to apply them again if required (activation). Nevertheless, this requires extraordinary effort, particularly in the case of many products equipped with transponders, and is therefore not very feasible. Moreover, the transponders frequently cannot be removed, because they are embedded in the products or are even a component of these products.
Another option is to destroy the particular transponders permanently, for example, by mechanical destruction, by a defined burning out of the protection within the transponder (fuse mechanism), or by destroying the transponder antenna. All of these mechanisms are based on destroying the function of the transponder. A problem, however, is the desired verification of whether the inoperability of the transponder associated with the destruction was actually achieved. Destructive interventions in the transponders are also unsuitable because these can be repaired, if desired, which is to be avoided as much as possible.
For the noted reasons, in modern RFID systems, equipped with a kill/cloak function, these functions of the transponder are initiated electronically.
According to a first method of this type, the kill function is activated by the deletion of at least part of the memory of the transponder, which immediately closes down the transponder. Moreover, a suitable bit, which signals the closing down of the transponder, is read by the transponder during a POR process (POR = power-on reset) or cyclically and stored in a flip-flop. The status of the flip-flop then blocks the further functionality of the transponder. A disadvantage of this solution, however, is that the flip-flop can, for example, lose its stored value due to operating voltage variations above the POR threshold, so that access to the transponder is again possible. This is a situation that should be avoided as much as possible.
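The failure mode described above, modelled as an added C example (not code from the patent): a killed tag whose blocking state lives only in a flip-flop answers again after a supply dip that stays above the POR threshold. The voltage thresholds, the supply traces and the `recheck_nvm` variant, which consults the stored bit on every command, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed supply thresholds in millivolts (assumptions, not from the page). */
#define POR_THRESHOLD_MV 900   /* below this the tag resets and re-runs POR */
#define LATCH_RETAIN_MV  1100  /* below this the flip-flop may lose its state */

typedef struct {
    bool nvm_kill_bit;  /* non-volatile bit that signals the closing down */
    bool kill_latch;    /* volatile flip-flop copy taken at POR */
    bool recheck_nvm;   /* hypothetical hardening: consult memory per command */
} tag_t;

/* POR process: the kill bit is read from memory and stored in the flip-flop. */
void tag_por(tag_t *t) { t->kill_latch = t->nvm_kill_bit; }

/* Apply one supply-voltage sample as the field strength varies. */
void tag_supply(tag_t *t, int mv) {
    if (mv < POR_THRESHOLD_MV)
        tag_por(t);             /* full reset: the latch is reloaded */
    else if (mv < LATCH_RETAIN_MV)
        t->kill_latch = false;  /* worst case: latch lost, no POR to reload it */
}

/* True if the tag would still answer a base-station command. */
bool tag_responds(const tag_t *t) {
    bool killed = t->kill_latch || (t->recheck_nvm && t->nvm_kill_bit);
    return !killed;
}

/* Kill a tag, power it up, replay a supply trace, report whether it answers. */
bool answers_after_trace(bool recheck_nvm, const int *mv, int n) {
    tag_t t = { .nvm_kill_bit = true, .kill_latch = false, .recheck_nvm = recheck_nvm };
    tag_por(&t);
    for (int i = 0; i < n; i++)
        tag_supply(&t, mv[i]);
    return tag_responds(&t);
}

const int BROWNOUT_TRACE[] = {1500, 1000, 1500};  /* constructed: dip stays above POR */
const int RESET_TRACE[]    = {1500, 500, 1500};   /* constructed: dip below POR */

int main(void) {
    printf("latch only, brownout: answers=%d\n", answers_after_trace(false, BROWNOUT_TRACE, 3));
    printf("latch only, reset:    answers=%d\n", answers_after_trace(false, RESET_TRACE, 3));
    printf("recheck,    brownout: answers=%d\n", answers_after_trace(true, BROWNOUT_TRACE, 3));
    return 0;
}
```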
For these reasons, in modern transponders, the kill/cloak functions are activated by a transponder-internal protocol mechanism. In this case, a digital password is preferably transmitted to the transponder at the protocol level; apart from an authorized user, this password is known only to the transponder and typically cannot be read by the base station. If this password is transmitted to the transponder, the kill/cloak function is activated. The desired level of security can thereby be set through the bit width of the digital password.
However, this solution also has significant disadvantages.
Ideally, the password should be known only to the authorized user who is authorized to activate and/or deactivate a kill/cloak function in a transponder. However, this password is also typically accessible to other individuals, in addition to the authorized user. This type of security gap arises inevitably because the authorized user must divulge certain information to the developer and/or manufacturer of the transponder equipped with such a security device in order to implement the security system, for example, by means of an employed password and a specific circuitry design of the security device. Admittedly, these companies handle all of this information very confidentially, but an element of risk always remains that the confidential information reaches an unauthorized user. The authorized user, therefore, can never be totally certain that their password, and therefore access to their security device, is not also known to and used by other individuals.
Another problem is that users pragmatically tend to limit the total number of employed passwords in order to limit their own logistical effort as much as possible, especially for reasons of cost. In addition, the length of a password is frequently determined by the protocol or by the system. A limited number of passwords and/or a limited length of these passwords also make it easier for an unauthorized user to decode these passwords.
Moreover, the security level of this type of security device is fixed in each case by the protocol of the data transmission.
All in all, however, this means that the current, generally known security devices, which use a transponder-internal protocol mechanism for realizing the kill/cloak function, do not offer sufficient security, particularly for security-relevant applications. This is a situation that is not acceptable, especially in the case of security-relevant products, and is not accepted, most notably, by many customers of such products.